November 14, 2022

Third-party due diligence: How to manage risk


Working with third parties requires trust. A vendor might seem very secure on paper, but if they’re dishonest or unreliable, you can’t trust them to protect sensitive data, or meet complex requirements like CCPA third-party standards. Third-party due diligence verifies a vendor’s integrity and compliance, enabling you to easily handle vendor reviews, manage third-party risk and build a productive business relationship.

What is third-party due diligence?

Third-party due diligence is a background check to establish that a vendor can be trusted for a particular role. The riskier the role, the more you need to look into the vendor’s background. For a low-risk vendor, it might be enough to verify basic details of the business and its reputation. For high-risk vendors, you may need to probe deeply into their background, business structure, and ownership, and even conduct on-the-ground inspections or audits.

Business due diligence needs to address both vendor integrity and specific obligations. Once you’ve established a vendor’s integrity, you can verify that they can be trusted to protect sensitive data, safeguard user privacy, and meet other legal, regulatory, and business obligations.

Due diligence v. due care

Due diligence and due care are both important concepts in vendor management, but they refer to different tasks. Third-party due diligence tasks ensure a vendor is up to your standards. Examples include:

  • Creating a risk management policy
  • Interviewing or monitoring vendors
  • Performing security and compliance audits

Due care is an ongoing routine to maintain your standards. Due care tasks include:

  • Educating employees and vendors in good privacy practices
  • Strengthening your network
  • Monitoring network traffic for suspicious activity
  • Applying privacy by design principles

Why (and when) is due diligence important?

Due diligence should be the first step in any new business relationship, or new phase in a business relationship. You should perform it whenever your business is considering:

  • Adding a new vendor
  • Giving an existing vendor new sensitive duties or responsibilities
  • Subcontracting business activities
  • Merging or acquiring a business
  • Seeking regulatory approval
  • Entering a new stage in your security and compliance strategy

Screening vendors

Starting with corporate due diligence can help you screen out unsuitable vendors, saving time on the rest of your vendor selection process. For vendors you choose to work with, third-party due diligence can help you spot which companies need more supervision and oversight. It also enables you to assign “risk classes” to existing vendors, so you’ll be able to identify which companies you can trust with more sensitive activities in the future.

Regulatory compliance

Regulatory due diligence provides the vendor visibility you need for regulatory compliance, particularly when the vendor is responsible for sensitive data. For example, to comply with the GDPR, you need to ensure that you can protect EU citizens’ data everywhere you store or process it.

If third-party due diligence shows your vendor is operating in a country with poor data privacy protections, you can take actions to compensate, such as restricting which offices will process the personal data, or using a different vendor.

Contract negotiations

Due diligence can be a powerful tool for negotiating with third parties. You can identify red flags early on and use them as leverage to protect your company. For example, if a vendor has a dubious compliance record, you can set compliance goals and penalties, ensuring they address your concerns during the relationship. Third-party due diligence can also factor directly into contract pricing and valuation — especially if it shows that an organization may not be able to service their contracts or meet SLAs or other obligations.

Integrity due diligence

The basic purpose of integrity due diligence is to make sure a potential vendor does not pose undue risk. But what counts as undue risk? As with other areas of compliance, the level of risk tolerance depends on a range of factors. These are:

  • The criticality of the service

What are the potential consequences of your vendor failing to provide adequate services? If your office supplies vendor fails to deliver, there will probably only be a minor impact on operations, and you can replace the vendor without too much trouble. But if the third party hosting your ERP fails, it could cause major damage or even threaten business continuity.

  • Track record

Does the vendor have an established and verifiable record of ethical conduct and compliance? If a vendor is new or has a questionable record, or if you’re unable to easily verify their record, you’ll need to perform more extensive third-party due diligence.

  • Legal and compliance obligations

How does the vendor affect your compliance obligations? If you’re sharing sensitive personal information with vendors, you’ll need to make sure you can trust the vendor to protect the data and respond to data requests under privacy laws like the CCPA and GDPR. Similarly, a vendor processing IP or corporate secrets could expose you to legal actions if they were to breach confidentiality.

You should also consider other types of compliance obligations, such as the Foreign Corrupt Practices Act, sanctions, export laws, and labor laws. Careful and well-documented integrity due diligence will reduce the likelihood of partner malfeasance, and protect you in the unlikely event that a partner does break the law.

  • Reputational risks

Based on the vendor’s role, how severely could they impact your reputation? Consider what would happen if they had exploitative labor practices, a bad environmental record, or defective or unsafe products.

What about unsavory public statements or political affiliations? Does the vendor have a history of making controversial statements or working against your company’s value and mission?

Keep in mind that the potential harm to your reputation (and therefore, the risk) will depend on the vendor’s role. For example, if your facilities maintenance contractor gets bad press, the impact on your company will probably be minimal. However, if there’s a scandal involving a vendor in a critical or public-facing role — for example, a key manufacturer or third-party customer support agency — the fallout could be much more serious.

  • Market

If you’re expanding into an emerging market, you need to be extremely careful. You may have fewer resources to verify vendor integrity, and the resources available could be less trustworthy.

In some areas, bribery and corruption are a fairly routine part of doing business. You should take special care in regions that lack safeguards for human rights, environmental protection, or safety — particularly if the local government has extensive power to spy on businesses or seize data and assets.

  • Sanctions and watchlists

Even in developed markets, there may be specific restrictions on who you can do business with and how you can work with them. You’ll need to consider sanctions, watchlists, and lists of politically exposed persons. State-owned entities (or entities where the state owns a significant interest) may also have special restrictions.

  • Risks and benefits of corruption

Third parties who could benefit greatly from breaking the law require a deeper integrity due diligence screening. Ask yourself:

  • Will the vendor have access to data and resources that a state or non-state actor wants?
  • Are there powerful interests with a motive to sabotage your company?
  • How easy would it be for the vendor to steal or sabotage your company? Would the risk likely justify the rewards?
  • How much damage could a malicious actor cause?
  • What recourse would you have if the vendor turned on you?
  • What about the vendor’s employees or subcontractors? Does the company have the ability to rein in malicious actors?

  • Assigning a risk level

Once you’ve considered these factors, assign each vendor a risk level. This level will determine what integrity due diligence activities you need to perform to verify the vendor.

Your due diligence framework should be flexible, so you can change risk level and customize your approach for each vendor based on your findings. Some vendors may prove riskier than you originally thought. In other cases, a vendor that initially seemed to require more scrutiny may prove to be low risk.

Additionally, risk level may change over the duration of your vendor relationship. New regulations and enforcement priorities, changing internal priorities, market shifts, and other factors may require you to reassess vendors, or change your risk assessment approach.

Level 1 due diligence

All vendors should start with a Level 1 integrity assessment. For riskier vendors, Level 1 is the first stage of a more in-depth assessment.

The goal of Level 1 due diligence is to verify basic information about the vendor. This may include:

  • Basic facts about the vendor, such as their size, capacity, and location.
  • Beneficial owners, management, and shareholders.
  • Screening vendors against global watchlists.
  • Consulting references or current or former clients.
  • Researching the company’s media coverage and social media presence.

Use third-party questionnaires and risk scoring to identify high-risk vendors. Keep in mind you’re not just looking for red flags; reputable vendors in high-risk roles should be upgraded to Level 2 as well.

Level 2 and Level 3 screening is more resource intensive, so you may wish to use Level 1 to disqualify vendors with obvious red flags.

Level 2

Level 2 third-party due diligence takes a deeper look at vendors, resolving potential red flags and ensuring a vendor’s capabilities and integrity match the level of risk. Level 2 due diligence may include:

Digging into the company’s profile, structure and beneficiaries

  • Researching trade names, lines of business, employee base and other factors.
  • Unraveling the corporate structure. Is the company owned by a subsidiary in a different country?
  • Researching beneficial ownership. Undisclosed beneficiaries may be linked to corruption, or pose unique compliance risks.

Litigation and Enforcement

If a vendor will have access to sensitive information, look into privacy enforcement actions and litigation. For foreign-based companies, look for FCPA enforcements as well. If the company has been subject to an enforcement action, what was the outcome?

In industries like tech and finance, enforcement actions have become quite common, and shouldn’t be automatically disqualifying. The outcome can actually provide evidence that the company has learned from its mistakes and improved its controls.

You should also look for other legal actions where relevant. It’s good to ask companies if they’ve been involved in any litigation over the last three years. Then, verify this information as a way to check if the company is being honest with you.

Privacy and security posture

For security and privacy-critical applications, find out what evidence the vendor has to prove they’re capable of protecting your data. Review their ISO 27001 or SOC 2 certification, or any other available audits.

You should also investigate internal practices. The company should have well-documented technology and privacy policies that show that they understand their role under relevant privacy laws.

Media and reputation

Take a deeper look at the company’s media profile. For foreign or multinational companies, you may need analysts who speak the local language to dig into local media reports.

Level 3: enhanced due diligence

Level 3 due diligence is generally for situations where Level 2 due diligence was unable to fully vet a company. Often, this occurs when a company’s location or structure makes it difficult to verify its business credentials. For example, the vendor may be located in an emerging market without centralized, digital business records, or may have a complex network of subcontractors that can’t be fully investigated online.

For this enhanced due diligence, you will likely need on-the-ground investigators with expertise in local languages, anti-corruption, and other areas. Your team may need to do considerable digging to access local records, investigate legal issues, and look into local media and public perception.

Enhanced due diligence should be tuned to the particular needs of each vendor. In some cases, you may just need to visit a government office and verify a few details. In other cases, you will have to inspect facilities in person, audit the vendor’s security, or perform other in-depth investigations.

Third-party due diligence is only the start

Due diligence lays the foundation for trust. But just because a vendor is honest doesn’t mean they’re up to the task. TerraTrue can help you manage vendors throughout your business relationship, controlling risk and ensuring your third parties continue to protect your users and your business.
Contact us for a free demo today.